Cyber insecurity: the high stakes of data protection in an interconnected world

November 16, 2017

By The Canadian Press

TORONTO — What is nearly imperceptible, leaks important secrets and can keep Canada’s top bankers up at night?

A cyberattack.

It’s not a punch line but a seriously haunting prospect for those in the upper echelons of Canadian governments and corporations.

When Victor Dodig checks his phone in the morning, the chief executive of CIBC dreads reading that any government or corporation, anywhere in the world, has been hacked, he told an Ontario Securities Commission panel last month.

“Obviously, it would be more of a concern if our institution was, but we’re so interconnected that one weak link creates an issue for all of us.”

Of all the nightmare scenarios that run through Bank of Canada governor Stephen Poloz’s head, the threat of a cyberattack is “more worrisome than all the other stuff,” he told The Canadian Press in an October interview.

Cybersecurity experts fear government and corporate defensive capabilities are not keeping pace with growing ranks of sophisticated hackers, a sentiment underscored by recent events.

This week The New York Times reported that the National Security Agency — America’s largest intelligence organization known for its own clandestine hacking operations — had been infiltrated by a hack, an insider’s leak, or both. The cyberweapons it developed to spy on other countries are now being used against it and a 15-month investigation has not produced a clear source of the leak.

The latest revelations come two months after Equifax Inc. disclosed that nearly half the U.S. population had sensitive personal information stolen by hackers who exploited a weakness in its system. The data breach was announced in September, nearly five months after hackers first broke in. They downloaded sensitive information undetected for almost two months before Equifax discovered the breach.

While American politicians lambasted the company for its slow response, the political response in Canada was decidedly less strident, despite the fact that the company declined for weeks to identify just how many Canadians had been affected.

Equifax Canada’s silence was enabled by the lack of federal laws to force companies to disclose breaches and theft of information or money.

But that could change if a mandatory data breach reporting requirement amendment to the Personal Information Protection and Electronic Documents Act is passed. It must undergo several more stages after a consultation period for a draft closed last month, more than two years after it was first proposed.

In the meantime, cyberattacks have become increasingly routine.

Nearly 60 per cent of Canadian businesses who responded to an Ipsos poll in February said they either suspect or know for certain that they were hacked last year, while more than one-third of Canadian individuals said in an Accenture survey they have been the target of a cyberattack.

Hacks involving extortion were up 50 per cent last year, according to a report by Verizon Communications. And that company knows all too well the fallout from a hack — it recently acquired Yahoo Inc., the victim of the largest data breach in history, in which three billion user accounts were compromised.

Estimates suggest cybercrime costs the Canadian economy between $3 billion and $5 billion a year. The average per company cost of a data breach has risen as high as $6 million, according to the Canadian Chamber of Commerce.

The Bank of Canada has warned that Canadian banks are vulnerable to a cascading series of attacks that could not only undermine confidence in the financial system, but spill over into other sectors, such as energy or water systems.

Hacking has already been deployed as a weapon of war.

The first known attack to take out an electrical grid using malicious software occurred two years ago, in the middle of Russia’s siege of Ukraine. Russian hackers have undermined almost every sector in Ukraine, including the Ukrainian tax filing system, pharmacies’ prescription tracking system and the radiation monitoring system at Chernobyl.

The hacks of Ashley Madison, Yahoo and now Equifax have sparked alarming headlines, federal investigations and passing political ire, but have amounted to little real change, leaving our institutions vulnerable to Poloz’s nightmare cyberattack that could grind the gears of modern civilization to a halt — a scenario that suddenly doesn’t seem so far-fetched.